Re: Article - "skype killer" carrier grade app filter

2005-09-19 Thread Fred Heutte

The cover story of the Economist this week (with a typical dollop
of hype called "How the internet killed the phone business") is
about Skype and VOIP as a "disruptive technology" (in Clayton
Christensen's sense) that is upending the wireline world but is
even more of a threat to the mobile/cellular carriers.

Skype has only a modest presence in the US now but the
worldwide numbers are pretty staggering:

  Sandvine, a telecoms-equipment firm, estimates that there are
  1,100 VOIP providers in America alone. But the trend is
  worldwide. IDC, a market-research firm, predicts that the
  number of residential VOIP subscribers in America will grow
  from 3m at the end of 2005 to 27m by the end of 2009; Japan
  already has over 8m subscribers today. Worldwide, according to
  iSuppli, a market-research firm, the number of residential VOIP
  subscribers will reach 197m by 2010. Even these numbers,
  however, do not include people using VOIP without subscribing
  to a service (ie, by downloading free software from Google,
  Skype or others). Skype alone has 54m users.

http://www.economist.com/displaystory.cfm?story_id=4400704

Well, actually projected to have 54 million by December, up
from about 15 million at the beginning of the year.  These are
the growth rates claimed for the net 10 years ago but which we
knew were overblown.

Of course not all of those "users" go much further than
downloading something and maybe trying it out.  But obviously the
Bell business model is dwindling fast and the life of the network
operator only gets more, um, interesting.

Fred



Re: router worms and International Infrastructure

2005-09-19 Thread Gadi Evron



> Subnetwork specific worms?  I only want to take down as1,
> as2 and as3, for example, rather than a large-scale
> 'internet killer' outage.


Almost a year ago we had a crisis in Israel where something caused ONLY 
Israeli ISP clients to stop being able to use their DSL connections, and 
on the SAME DAY.


We believe it was a targeted worm.

Who said this can't happen? It already did. The biggest impact was the 
help desks being DDoS'd.


Gadi.


Re: router worms and International Infrastructure

2005-09-19 Thread Scott Weeks

- Original Message Follows -
From: "Christopher L. Morrow" <[EMAIL PROTECTED]>
Subject: Re: router worms and International Infrastructure
Date: Tue, 20 Sep 2005 02:41:44 + (GMT)
> On Tue, 20 Sep 2005, Gadi Evron wrote:

> I can, but my name isn't randy bush :) Actually what I was
> thinking was: ISP's business depends upon their (and
> others actually) network working properly, for them large
> scale 'internet killer' outages are not a good thing. They


Subnetwork specific worms?  I only want to take down as1,
as2 and as3, for example, rather than a large-scale
'internet killer' outage.

scott


Re: router worms and International Infrastructure

2005-09-19 Thread Gadi Evron



> So, how isn't it being addressed?


The idea of Critical Infrastructure gets addressed in many countries. 
Some of them do not include ISP's in the equation as they are a private 
business. Some day, but can't force ISP's to cooperate.


Whatever gets done and re-done is local, whether by ISP or country and 
there is almost nothing getting done to treat this as a global, macro 
problem, and actually put in measures to combat it.


Hence International Infrastructure.

Gadi.


Re: router worms and International Infrastructure

2005-09-19 Thread Christopher L. Morrow



On Mon, 19 Sep 2005 [EMAIL PROTECTED] wrote:

> On Mon, 19 Sep 2005 21:16:57 -, "Christopher L. Morrow" said:
>
> > I'm curious as to why people think that the problem isn't being addressed?
>
> This one is amenable to "Pentagon Pizza" analysis, similar to the big
> flurry of IOS patching around April of last year for the RST issue.
>
> Anybody been seeing flaps/burbs with their Tier1 peers during maintenance
> windows the last few days? :)

what, for that silly cisco worm? I mean... uhm... nevermind.


Re: router worms and International Infrastructure

2005-09-19 Thread Valdis . Kletnieks
On Mon, 19 Sep 2005 21:16:57 -, "Christopher L. Morrow" said:

> I'm curious as to why people think that the problem isn't being addressed?

This one is amenable to "Pentagon Pizza" analysis, similar to the big
flurry of IOS patching around April of last year for the RST issue.

Anybody been seeing flaps/burbs with their Tier1 peers during maintenance
windows the last few days? :)




Re: 209.68.1.140 (209.68.1.0 /24) blocked by bellsouth.net for SMTP

2005-09-19 Thread Suresh Ramasubramanian

On 20/09/05, Alan Spicer <[EMAIL PROTECTED]> wrote:
> 
> I wonder if anyone with Bellsouth.net can tell me why this ip or /24
> 
> 209.68.1.140 (209.68.1.0 /24)
> 
> would be blocked from sending SMTP to bellsouth.net customers.
> 

That's a large (and quite good) webhost called pair.com, which also
hosts the Pittsburgh IX (pitx.net)

http://www.pair.com/support/notices/blocked-email.html

Blocking is fine - happens.  Postmaster and other role accounts not
replying at all to email that they're sent is just not a good thing to
do.

--srs
-- 
Suresh Ramasubramanian ([EMAIL PROTECTED])


Re: router worms and International Infrastructure

2005-09-19 Thread Christopher L. Morrow


On Mon, 19 Sep 2005, Florian Weimer wrote:

> * Christopher L. Morrow:
>
> > I'm curious as to why people think that the problem isn't being
> > addressed?
>
> Do you see a business case for ISPs to help mass-market customers to
> clean up their infected PCs?

Nope, but I see a business case for software vendors to fix their
problems, and for education of the people that are a problem. I'm not sure
it'll fix the problem either, but blocking ports hasn't been wholly
effective either, especially not when you consider RPC-over-http now :(
hurray!

>
> I still hear claims from the ISP folks that anything but prevention
> isn't viable, and all available data suggests that prevention is an

Mostly this is probably true. Consumer ISP's are in a rough battle of
idiots/users versus 'next exploit against the most common platform
deployed'. Sure there are stupidities committed by other than software
vendors (how many routers have login passwd: cisco and no vty acl? How
many cayman/dsl routers are out there with default userid/passwd and
remote management enabled? How many wireless AP's are there with default
admin setup? ... for fun, try the one at the Baron's Cove Inn in Sag
Harbor... poor folks :( )

The issue of 'are consumer users getting better/worse/owned/deleted' isn't
really the problem, the issue is "Is the Internet being treated as
'Critical Infrastructure' by some people in a position to make it
'better'?"

I'd say that yes, there are lots of folks that consider their little piece
of the Internet to be 'critical' and who are making steps where they can
to ensure it's protected to the best of their ability. Just because folks
aren't out beating drums daily doesn't mean the work isn't getting done.

So, what leads you to believe it's NOT getting
fixed/looked-at/worked/considered?

> utter and complete failure.  (Okay, maybe I'm exaggerating a bit, but
> you get the idea.)

I think Sean Donelan has some numbers about this... or we could google
search the nanog archives :)
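
Added example, not part of the post above: a minimal offline audit of a saved IOS configuration for the two weaknesses the post names (a default login password such as "cisco", and vty lines with no access-class), plus an access-class that points at an ACL the config never defines. The sample config, the default-password list and all function names are assumptions constructed for illustration.

```python
import re

# Constructed sample running-config (not taken from a real device).
SAMPLE_CONFIG = """\
hostname edge-rtr-1
!
enable password cisco
!
access-list 10 permit 192.0.2.0 0.0.0.255
!
line con 0
 password cisco
 login
line vty 0 4
 password cisco
 login
line vty 5 15
 access-class 10 in
 password 7 0822455D0A16
 login
!
end
"""

# Assumed short list of vendor/default values; extend for your own estate.
DEFAULT_PASSWORDS = {"cisco", "admin", "password"}


def parse_line_blocks(config):
    """Map each 'line ...' header to the indented sub-commands under it."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None  # any unindented line ends the block
    return blocks


def defined_acls(config):
    """Collect names/numbers of ACLs that the config actually defines."""
    acls = set()
    for raw in config.splitlines():
        m = (re.match(r"access-list (\S+) ", raw)
             or re.match(r"ip access-list (?:standard|extended) (\S+)", raw))
        if m:
            acls.add(m.group(1))
    return acls


def default_password(cmd):
    """True for a plaintext (type 0) password line holding a default value.

    'password 7 <hash>' and 'enable secret ...' do not match on purpose.
    """
    m = re.match(r"(?:enable )?password (?:0 )?(\S+)$", cmd)
    return bool(m) and m.group(1).lower() in DEFAULT_PASSWORDS


def audit(config):
    """Return a list of (location, finding) tuples."""
    findings = []
    acls = defined_acls(config)
    for raw in config.splitlines():
        if raw.startswith("enable ") and default_password(raw.strip()):
            findings.append(("global", "enable password is a default value"))
    for header, cmds in parse_line_blocks(config).items():
        if any(default_password(c) for c in cmds):
            findings.append((header, "line password is a default value"))
        if not header.startswith("line vty"):
            continue
        refs = [m.group(1) for c in cmds
                if (m := re.match(r"access-class (\S+) in\b", c))]
        if not refs:
            findings.append((header, "no inbound access-class"))
        for name in refs:
            if name not in acls:
                findings.append(
                    (header, f"access-class references undefined ACL {name}"))
    return findings


if __name__ == "__main__":
    for location, finding in audit(SAMPLE_CONFIG):
        print(f"{location}: {finding}")
```
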


Re: router worms and International Infrastructure

2005-09-19 Thread Christopher L. Morrow



On Tue, 20 Sep 2005, Gadi Evron wrote:

> > I'm curious as to why people think that the problem isn't being addressed?
>
> Can you be any more cryptic?
> :)

I can, but my name isn't randy bush :) Actually what I was thinking was:
ISP's business depends upon their (and others actually) network working
properly, for them large scale 'internet killer' outages are not a good
thing. They employ (larger ISP's at least) folks to think about this
problem and plan reaction to it even plan preventive measures for it
:)

Oh, and at least the US and UK Gov'ts are interested in 'infrastructure',
though often their interest ends with the phrase: "Someone should make a
law..." at which point the ISP person(s) say: "And I'll move my  off to the Cayman
Islands/Russia/China where your 'law' doesn't matter... so lets make this
solution not about the 'law' so much as making people realize it's the
best thing to do."

So, how isn't it being addressed?


Re: IOS worm clarification

2005-09-19 Thread Henry Linneweh

Andre;
Thanks for your review and language skills in this
area, the article translated was even a mess
on babelfish and left more questions than answers

-Henry

--- "J. Oquendo" <[EMAIL PROTECTED]> wrote:

> 
> 
> /
> From: Andrei Mikhailovsky <[EMAIL PROTECTED]>
> Reply-To: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: Re: [Full-disclosure] Cisco IOS hacked?
> 
> Hello,
> 
> Being a co-author of the "Hacking Exposed Cisco
> Networks" book and one
> of the co-founders of Arhont Ltd an Information
> Security Company that is
> doing the research for the book on Cisco Devices I
> have to make the
> following comments about the article in
> SecurityLab.ru:
> 
> The russian article
> (http://www.securitylab.ru/news/240415.php) has been
> badly paraphrased from the livejournal of one of the
> authors/researchers
> of the book. As a result of this outrageously
> inaccurate paraphrasing of
> the article many confusions and misunderstandings
> have been circling on
> the security related sources and mailing lists.
> 
> 
> Some of the issues addressed in the article are true
> and Arhont is
> currently preparing a formal advisory that will be
> sent to PSIRT.
> 
> 
> Among the discovered issues are multiple
> vulnerabilities in EIGRP
> implementation. Also, authors have addressed the
> _theoretical_ aspects
> of an algorithm for cross-platform worm that could
> spread in IOS based
> devices. The existence of the practical
> implementation of such worm is a
> complete lie. Let me assure that there has been no
> development nor the
> desire to develop such code by the authors of the
> book. The theoretical
> methodology and algorithms will be also discussed
> with PSIRT at the
> appropriate time.
> 
> 
> In addition, there has been some minor
> inconsistencies of the
> livejournal postings that will be soon addressed and
> edited.
> 
> If you have any comments on this topic we would be
> glad to address them.
> 
> --
> Andrei Mikhailovsky
> Arhont Ltd - Information Security
> /
> 
> 
> 
> 
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> J. Oquendo
> GPG Key ID 0x97B43D89
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x97B43D89
> 
> "Just one more time for the sake of sanity tell me
> why
>  explain the gravity that drove you to this..."
> Assemblage
> 



Re: router worms and International Infrastructure

2005-09-19 Thread Florian Weimer

* Christopher L. Morrow:

> I'm curious as to why people think that the problem isn't being
> addressed?

Do you see a business case for ISPs to help mass-market customers to
clean up their infected PCs?

I still hear claims from the ISP folks that anything but prevention
isn't viable, and all available data suggests that prevention is an
utter and complete failure.  (Okay, maybe I'm exaggerating a bit, but
you get the idea.)


Re: router worms and International Infrastructure

2005-09-19 Thread Gadi Evron



> I'm curious as to why people think that the problem isn't being addressed?


Can you be any more cryptic?
:)


Re: router worms and International Infrastructure

2005-09-19 Thread Christopher L. Morrow

On Mon, 19 Sep 2005, Florian Weimer wrote:

>
> * Gadi Evron:
>
> > I would really like to hear some thoughts from the NANOG community on
> > threats such as the one described above. Let us not get into an argument
> > about 0-days and consider how many routers are actually patched the
> > first... day.. week, month? after a vulnerability is released.
>
> The bad guys obviously aren't interested in taking down the Internet.
> I wouldn't worry too much. 8-)
>
> > I don't want the above to sound as FUD. My point is not to yell "death
> > of the Internet" but rather to get some people moving on what I believe
> > to be a threat, and considering it on a broader scale is LONG over-due.
>

I'm curious as to why people think that the problem isn't being addressed?

> I would ask some people who have experienced meltdowns on large-scale
> networks, due to Slammer, Blaster or something else.  Basically, what
> do you do when you don't have management access to your network gear
> anymore, and stuff like that.
>
> To some extent, what you fear has already happened, and we could learn
> from that.
>


Re: router worms and International Infrastructure

2005-09-19 Thread Florian Weimer

* Gadi Evron:

> I would really like to hear some thoughts from the NANOG community on 
> threats such as the one described above. Let us not get into an argument 
> about 0-days and consider how many routers are actually patched the 
> first... day.. week, month? after a vulnerability is released.

The bad guys obviously aren't interested in taking down the Internet.
I wouldn't worry too much. 8-)

> I don't want the above to sound as FUD. My point is not to yell "death 
> of the Internet" but rather to get some people moving on what I believe 
> to be a threat, and considering it on a broader scale is LONG over-due.

I would ask some people who have experienced meltdowns on large-scale
networks, due to Slammer, Blaster or something else.  Basically, what
do you do when you don't have management access to your network gear
anymore, and stuff like that.

To some extent, what you fear has already happened, and we could learn
from that.


IOS worm clarification

2005-09-19 Thread J. Oquendo


/
From: Andrei Mikhailovsky <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: [Full-disclosure] Cisco IOS hacked?

Hello,

Being a co-author of the "Hacking Exposed Cisco Networks" book and one
of the co-founders of Arhont Ltd an Information Security Company that is
doing the research for the book on Cisco Devices I have to make the
following comments about the article in SecurityLab.ru:

The russian article (http://www.securitylab.ru/news/240415.php) has been
badly paraphrased from the livejournal of one of the authors/researchers
of the book. As a result of this outrageously inaccurate paraphrasing of
the article many confusions and misunderstandings have been circling on
the security related sources and mailing lists.


Some of the issues addressed in the article are true and Arhont is
currently preparing a formal advisory that will be sent to PSIRT.


Among the discovered issues are multiple vulnerabilities in EIGRP
implementation. Also, authors have addressed the _theoretical_ aspects
of an algorithm for cross-platform worm that could spread in IOS based
devices. The existence of the practical implementation of such worm is a
complete lie. Let me assure that there has been no development nor the
desire to develop such code by the authors of the book. The theoretical
methodology and algorithms will be also discussed with PSIRT at the
appropriate time.


In addition, there has been some minor inconsistencies of the
livejournal postings that will be soon addressed and edited.

If you have any comments on this topic we would be glad to address them.

--
Andrei Mikhailovsky
Arhont Ltd - Information Security
/




=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
GPG Key ID 0x97B43D89
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x97B43D89

"Just one more time for the sake of sanity tell me why
 explain the gravity that drove you to this..." Assemblage


209.68.1.140 (209.68.1.0 /24) blocked by bellsouth.net for SMTP

2005-09-19 Thread Alan Spicer


I wonder if anyone with Bellsouth.net can tell me why this ip or /24

209.68.1.140 (209.68.1.0 /24)

would be blocked from sending SMTP to bellsouth.net customers.

Off-list reply is fine...

---
Alan Spicer ([EMAIL PROTECTED]) 


Request for tech/peering contact to Qwest, Bresnan/ATT Worldnet(?) (for Montana)

2005-09-19 Thread Michael Loftis


Please reply privately, off-list...

I know this is probably not the best place, but Qwest, being Qwest, if I 
call their main numbers and try to ask about peering, they do 
s/peering/transit/ and route me to sales.  I need to speak to someone in 
Qwest about peering at NWIX in Missoula, MT -- http://www.nwix.org/  -- 
Modwest (my employer) has a decent number of local customers on both of 
these providers networks, and employees being serviced on Bresnan's 
network.  Bresnan I know has IP gear here in the facility, I just need to 
get the contact of someone who has the authority to get them plugged into 
NWIX in Missoula and set up a BGP peering session.


I have a sales contact with Bresnan, but, if Bresnan's network guys/gals 
are on here and listening, this could hasten the process.


Qwest I know has a cabinet with an ONS15454, however, I'm not sure about 
IP.  I'm not requesting global peering for either of them (we're just a 
small content/hosting provider) however I'd like to at least have Montana 
customers/local customers see us via the direct link rather than having to 
go out one of our transit links.


Thanks again everyone, I now return you to your (err.. quasi?) operational 
content! :)


--
"Genius might be described as a supreme capacity for getting its possessors
into trouble of all kinds."
-- Samuel Butler


Google seeks GoogleNet bids?

2005-09-19 Thread Fergie (Paul Ferguson)

I'm kind of surprised that I hadn't seen mention of it
here before now, but Om Malik points out in his blog that
Google is reviewing bids for its national DWDM network:

 http://gigaom.com/2005/09/19/google-asks-for-googlenet-bids/

- ferg

--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 [EMAIL PROTECTED] or [EMAIL PROTECTED]
 ferg's tech blog: http://fergdawg.blogspot.com/



Re: IOS exploit

2005-09-19 Thread Michael . Dillon

> > exploit of sorts has been published. My Russian is so so, not good 
> > enough
> > to make sense it a majority of what was posted.

> http://www.translate.ru/url/tran_url.asp?lang=ru&url=http%3A%2F% 

Do you honestly believe that this URL enables one
to "make sense" of the majority of what was posted?

I think most people will get a clearer view by 
reading the three postings from people who know
some Russian.

--Michael Dillon



Re: IOS exploit

2005-09-19 Thread Network Fortius



On Sep 19, 2005, at 9:23 AM, J. Oquendo wrote:




> "Supposedly"/"Allegedly"/"Theoretically", rumor mill has it that a worm
> exploit of sorts has been published. My Russian is so so, not good enough
> to make sense it a majority of what was posted.

http://www.translate.ru/url/tran_url.asp?lang=ru&url=http%3A%2F%2Fwww.securitylab.ru%2Fnews%2F240415.php&direction=re&template=General&cp1=NO&cp2=NO&autotranslate=on&transliterate=on&psubmit2.x=45&psubmit2.y=17


Stef
Network Fortius, LLC


[Fwd: Cisco IOS hacked?]

2005-09-19 Thread Gadi Evron

Here's something from bugtraq on it.

Gadi.
--- Begin Message ---
today news on SecurityLab.ru (only in russian):

http://www.securitylab.ru/news/240415.php

* break CRC on CISCO IOS
* Design Mechanism of cross-platform worm for IOS device.
* Run IRC server on 2600 CISCO.
* Found more vulnerabilities in EIGRP protocol.

and some more...

Online translate from Russian:

http://www.translate.ru/url/tran_url.asp?lang=ru&url=http%3A%2F%2Fwww.securitylab.ru%2Fnews%2F240415.php&direction=re&template=General&cp1=NO&cp2=NO&autotranslate=on&transliterate=on&psubmit2.x=45&psubmit2.y=17

--- End Message ---


router worms and International Infrastructure [was: Re: IOS exploit]

2005-09-19 Thread Gadi Evron


[EMAIL PROTECTED] wrote:

> Reading through the original Russian posting here
> http://www.securitylab.ru/news/240415.php&direction=re&template=General&cp1=
> It seems that someone has built an IOS worm that
> follows an EIGRP vector from router to router.


A while back I emailed the following text to a closed mailing list. I 
figure now that quite a few cats are out of the bag it is time to get 
more public attention to these issues, as the Bad Guys will very soon 
start doing just that.


Ciscogate by itself ALONE, and now even just a story about worms for 
Routers is enough for us to be CLEAR that worms will start coming out. 
We do learn from history.


So.. as much as people don't like to talk much on the issues involving 
the so-called "cooler" stuff that can be done with routers, now is the 
time to start.


Here is one possible and simple vector of attack that I see happening in 
the future. It goes down-hill from there.


I wrote this after the release of "the three vulnerabilities", a few 
months back. Now we know one wasn't even just a DDoS, and that changes 
the picture a bit.


Begin quoted text ->>>

More on router worms - let's take down the Internet with three public
POCs and some open spybot source code.
--

People, I have given this some more thought.

Let's forget for a second the fact that these vulnerabilities are 
dangerous on their own (although it's a DoS), and consider what a worm 
could cause.


If the worm used the vulnerability, it would shoot itself in the leg as 
when network is down, it can't spread.


Now, imagine if a VX-er will use an ancient trick and release the worm, 
waiting for it to propagate for 2 or 3 days. Then, after that seeding 
time when the say.. not very successful worm infected only about 30K 
machines around the world, each infected host will send out 3 "One 
Packet Killers" as I like to call them to the world.


Even if the packet won't pass one router, that one router, along with 
thousands of others, will die.


Further, the latest vulnerabilities are not just for Cisco, there is a 
"One Packet Killer" for Juniper as well.


So, say this isn't a 0-day. Tier-1 and tier-2 ISP's are patched (great 
mechanism to pass through as these won't filter the packet out if it is 
headed somewhere else), how many of the rest will be up to date?


Let's give the Internet a lot of credit and say.. 60% (yeah right).

That leaves us with 30% of the Internet dead, and that's really a bad 
scenario as someone I know would say.


Make each infected system send the one packet spoofed (potentially, not 
necessarily these vulnerabilities) and it's hell. Make them send it 
every day, once! And the net will keep dying every day for a while.


As a friend suggested, maybe even fragment the packet, and have it 
re-assembled at the destination, far-away routers (not sure if that will 
work).


These are all basic, actually very basic, techniques, and with the 
source to exploits and worms freely available
We keep seeing network equipment vulnerabilities coming out, and it is a 
lot "cooler" to bring down an ISP with one packet rather than with 
1,000,000,000,000,000.


I am sure the guys at Cisco gave this some thought, but I don't believe 
this is getting enough attention generally, and especially not with 
AV-ers. It should.


This may seem like I am hyping the situation, which is well-known. Still 
well-known or not, secret or not, it's time we prepared better in a 
broader scale.


How?

Gadi.

->>> End quoted text.

I would really like to hear some thoughts from the NANOG community on 
threats such as the one described above. Let us not get into an argument 
about 0-days and consider how many routers are actually patched the 
first... day.. week, month? after a vulnerability is released.


Also, let us consider the ever decreasing vulnerability-2-exploit time 
of development.


I don't want the above to sound as FUD. My point is not to yell "death 
of the Internet" but rather to get some people moving on what I believe 
to be a threat, and considering it on a broader scale is LONG over-due.


The cat is out of the bag, as much as I avoided using "potentially" 
and "possibly" above to pass my point.. this is just one possible 
scenario and I believe we need to start getting prepared to better 
defending the Internet as an International Infrastructure.


As I am sure that this will be an interesting discussion, I am also sure 
this will eventually derail to a pointless argument over an un-related 
matter, here on NANOG.
I'd appreciate if people who are interested would also email me off-list 
so that we can see how we can perhaps proceed with some activity.


Thanks,

Gadi Evron.

--
Available for consulting:
+972-50-5428610 / [EMAIL PROTECTED]


Re: IOS exploit

2005-09-19 Thread Michael . Dillon

Reading through the original Russian posting here
http://www.securitylab.ru/news/240415.php&direction=re&template=General&cp1=
It seems that someone has built an IOS worm that
follows an EIGRP vector from router to router.

I would say that means that enterprise networks
are in more immediate danger than ISPs, however...
This could be the first of many.

The article does say that this is based on cross
platform exploits but it isn't clear whether they
mean "across different Cisco platforms" or whether
there is some way for PCs to infect routers.

The article has the tone of something written by
a 3rd party therefore some of the facts may be a bit
twisted. They do use this opportunity to point out
that security through obscurity ain't all it's 
cracked up to be.

Advice for reading Russian. When you get into difficulty,
run the Russian through a machine translator using the
PROMT engine like http://translation1.paralink.com
and then GO BACK AND RE-READ the original Russian.
Your brain will now be able to make a more accurate
translation on the second pass. 

--Michael Dillon




Re: Article - "skype killer" carrier grade app filter

2005-09-19 Thread Suresh Ramasubramanian

On 19/09/05, Christian Kuhtz <[EMAIL PROTECTED]> wrote:
> I read the draft stuff that has been floating around as not looking
> kindly on such things, but that could be wishful thinking on my part.

He does claim he has every idea of moving offshore

-srs


Re: Article - "skype killer" carrier grade app filter

2005-09-19 Thread Christian Kuhtz


Suresh Ramasubramanian wrote:


> Cites nanog posts and presentations to prove that skype is a bandwidth hog
 

Pfft.  Any other vendor making similar products could belch out the 
same marketeering spleek.  The question is whether the regulatory 
environment today and in the future will ever permit such manipulation.  
I read the draft stuff that has been floating around as not looking 
kindly on such things, but that could be wishful thinking on my part.



> The ceo of this company is apparently ex founder-CTO of NAP of the Americas.
 


He (Steve Odom) is "only" chairman of the board today (changed 8/1/05).

Best regards,
Christian




Article - "skype killer" carrier grade app filter

2005-09-19 Thread Suresh Ramasubramanian

Cites nanog posts and presentations to prove that skype is a bandwidth hog

The ceo of this company is apparently ex founder-CTO of NAP of the Americas.

--srs
-- 
Suresh Ramasubramanian ([EMAIL PROTECTED])

[IP] The Inquirer: Anti-Skype software kills IM, P2P too
From:  David Farber <[EMAIL PROTECTED]>
To: Ip Ip 
Date: Mon Sep 19 19:53:14 2005
   
Begin forwarded message:

From: Bob Drzyzgula <[EMAIL PROTECTED]>
Date: September 19, 2005 9:47:43 AM EDT
To: David Farber <[EMAIL PROTECTED]>
Cc: Ip Ip 
Subject: The Inquirer: Anti-Skype software kills IM, P2P too



  

| Anti-Skype software kills IM, P2P too
| Bandwidth bandsaw released
| By: Doug Mohney
|
| Monday 19 September 2005, 07:14
|
| LAST WEEK, Verso Technologies (www.verso.com)
| announced the rollout of a "carrier-grade applications
| filter" that can block so-called bandwidth drains
| such as Skype, P2P messaging, streaming media, and
| instant messaging.
|
| Skype is singled out in the headline of the press
| release. It's not a P2P blocker, it's a "Skype
| Filtering Technology."
|
| Verso CEO Monty Bannerman, founding CTO of the NAP of
| Americas, says service providers are gung-ho about
| his new product offering. As a "free" service,
| Skype is raiding the business model of service
| providers that want to roll out VoIP services for
| their customers. "They're all telling me they hate
| Skype and they're telling me that they want to do
| something about Skype," said Bannerman in a telephone
| interview. "If you have something in your network that
| is costing you money and raiding your business model,
| I assure you you're going to do something about it."
|
| Bannerman claims that Skype and other P2P applications
| were generating up to 30 per cent of existing
| network traffic load as of last year according to
| presentations at the North American Network Operators
| Group (NANOG). Since a revenue-based service provider
| isn't making any money off that traffic load, it's
| not a good thing, especially if they plan to offer
| their own flavor of VoIP to their customer base. Since
| making the announcement, Verso has received a number
| of phone calls from existing customers as well as
| intrigued service providers.
|
| Could this technology be used to block Vonage
| service? "Sure," said Bannerman. "But we wouldn't do
| that." Bannerman drew a distinction between the more
| heavily US-regulated Vonage and Skype, saying that
| they were "different," with Vonage required to provide
| E-911 service and abide by other FCC regulations,
| while Skype had no such state-side regulation. He
| believed he had a shot at selling some of his boxes
| to Vonage in order for that company to monitor
| traffic flow.
|
| Figuring how to measure and block Skype has been a
| significant challenge, since the application has been
| difficult to measure. Verso has spent over a year
| and four engineering attempts to develop a platform
| capable of detecting, managing, and controlling
| Skype. "We are better than anyone else at this moment
| in time in detecting Skype and doing something with
| it, including turning it off."
|
| When asked if current FCC rulings and upcoming
| American federal legislation to prevent application
| blocking of any type would affect selling the
| Skype-blocker in the States, Bannerman didn't seem
| to be worried. "The World Wide Web isn't just about
| America, plunk yourself anywhere else," he said. "This
| is a product for the world market," and he pointed
| out that there's a patchwork of regulatory schemes
| around the globe. µ


Re: IOS exploit

2005-09-19 Thread Paul G


- Original Message - 
From: "J. Oquendo" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, September 19, 2005 10:23 AM
Subject: IOS exploit


>
>
> "Supposedly"/"Allegedly"/"Theoretically", rumor mill has it that a worm
> exploit of sorts has been published. My Russian is so so, not good enough
> to make sense it a majority of what was posted. A translation made me want
> to yank my hair out.

i'll help with the translation :)

On Sept 9, Andrey Vladimirov (aka dr_nicodimus), known as a co-author of the
book 'Wi-Foo: The Secrets of Wireless Hacking', published information about
the end [result] of a "brainstorm session" aimed at [developing ways of]
exploiting vulnerabilities in software running on Cisco products.

This research has led to the development of techniques which can be used to
inject executable code into Cisco IOS as well as to write exploits and
shellcode for this platform. Methods of implementing a cross-platform worm
targeting IOS have also been developed. A plethora of vulnerabilities have
been discovered in the "firmware" implementation of the routing protocol
EIGRP. As a demonstration, an attack from one Cisco aimed at another was
successful in launching an irc server on the target.

--- not translating the rest, since it's largely non-technical and contains
a derogatory reference to coders in a certain asian country. ---

-p

---
paul galynin



IOS exploit

2005-09-19 Thread J. Oquendo


"Supposedly"/"Allegedly"/"Theoretically", rumor mill has it that a worm
exploit of sorts has been published. My Russian is so so, not good enough
to make sense of a majority of what was posted. A translation made me want
to yank my hair out.


// CLIP
On September, 19th, 2005

19th September in ? the expert in the field of safety Andrey Vladimirovym
(? dr_nicodimus), known as the co-author of the book " Wi-Foo: The
Secrets of Wireless Hacking ", the information on the termination of "
brain storm ", directed on operation ? in the software of
products of company Cisco has been published.

As a result of research in Cisco IOS and methods of a writing exploit and
shellcode methods of introduction of a code have been developed for this
platform. Mechanisms of realization ... a worm for IOS are
developed."
// END CLIP

Someone set us up the bomb! Translations are horrible. Further down the
road in this article, someone points to "Cisco Games" from an ezine. So
here is that copy with no silly little uploader javafoofoofoo scripting
bs.

www.infiltrated.net/cisco/ciscogames.html

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
GPG Key ID 0x97B43D89
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x97B43D89

"Just one more time for the sake of sanity tell me why
 explain the gravity that drove you to this..." Assemblage


Re: IPv6 BGP Peering

2005-09-19 Thread Christian Kuhtz


Mark Radabaugh wrote:


> What is the state of IPv6 BGP peering with US transit providers?
>
> Questions to sales / tech reps are generally met with "I heard we were
> working on something" and that's as far as I have made it so far.
>
> The routing table shows UUNet, Verio, Sprint and a few other transit
> providers but I am not having much luck finding contact or setup
> information for those providers specific to IPv6.
 


Uh, the whois6 registry has TONS of info of that sort.

Thanks,
Christian



Re: OT - Vint Cerf joins Google

2005-09-19 Thread JORDI PALET MARTINEZ

It seems that the list doesn't like the attachments, anyway, the text shows
the results for the awstats.


Hi,

Sorry for the late answer, traveling and overbooked ... My reply below, in-line.

Regards,
Jordi




> From: Paul G <[EMAIL PROTECTED]>
> Reply-To: <[EMAIL PROTECTED]>
> Date: Mon, 12 Sep 2005 00:54:25 -0400
> To: 
> Subject: Re: OT - Vint Cerf joins Google
> 
> 
> 
> - Original Message -
> From: "JORDI PALET MARTINEZ" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Monday, September 12, 2005 12:30 AM
> Subject: Re: OT - Vint Cerf joins Google
> 
>> The last figure that I remember, very impressive, was in April 2004, when
>> the estimated number of hosts using 6to4 on Windows hosts was calculated as
>> 100.000.000 (extrapolated from measurements). This is not including hosts
>> which have native support or use other transition mechanism such as
>> configured tunnels, ISATAP, 6over4, or Teredo (behind NAT).
> 
> this figure seems to be completely over the top. i would be interested in
> seeing those 'measurements', an explanation of why they are statistically
> representative and the method of extrapolation. perhaps it was a typo and,
> instead of 'extrapolation', they really meant 'exaggeration'? that would
> make more sense ;]

The paper is here:

http://portal.acm.org/citation.cfm?id=1052812.1052821

I also know the author, and I'm sure is not exaggerating.

> 
>> We notice in our web servers (which are dual stack), incredible amounts of
>> IPv6 traffic, increasing month by month.
> 
> please define incredible using a non-subjective measurement system -
> absolute counts and percentages of total traffic will do. as stated above, i
> would likewise be interested in knowing how representative your traffic is
> of general internet usage. as an example, i would expect web servers for an
> incredibly popular site discussing v6 to have a disproportionate amount of
> v6 traffic.

Just look at the attached stats from this year in one of our web sites. Just
one, and not the one which has the bigger ratio of IPv6 vs. IPv4 traffic. It is
not an IPv6 site, just one of our customers. I can't say how
representative it is vs. Internet traffic, but for me it is enough.

The file total.tiff includes ALL the traffic to the server (IPv4 and IPv6),
while the other one (ipv6_only) is just IPv6 traffic. If you compare what is
only IPv4 (total-IPv6) vs. IPv6, we have:

         IPv4        IPv6       %
Users    118.41 GB   10.38 GB   8.77
Robots   253.65 GB    2.64 GB   1.04

Conclusion: The users traffic is rising. No robots support IPv6 today
(probably this could change with people like Google and others doing IPv6).

Different conclusions can be extracted looking at the number of visitors,
visits, pages, hits, etc.

It is clear that this depends on the user profile, maybe even the region? In
some regions the awareness has been much stronger (and probably successful)
and more users turn on IPv6 in their clients.

> 
>> Do you want to guess what will happen with Vista, which comes with IPv6
>> enabled by default ?
> 
> i don't like guessing, but if i were pressed, drunk or otherwise
> intoxicated, i'd say default support in client software is not the single
> bottleneck - being able to purchase v6 transit and have your v6 work as well
> as your v4 is another one that you can't really get around. i'm not up to
> date on these things, has someone figured out how we're multihoming with v6
> yet and, more importantly, got vendors to agree on and implement it?
> 

I disagree here. If the clients have IPv6 support, even if tunneled, which
is enabled most of the time automatically (6to4, Teredo, others), the
traffic is already increasing, especially peer to peer. Of course, the quality
is not so good as having native support, but sometimes it works much better
than having to trouble with NAT boxes and so on.

> -p
> 
> ---
> paul galynin
> 






The IPv6 Portal: http://www.ipv6tf.org

Barcelona 2005 Global IPv6 Summit
Information available at:
http://www.ipv6-es.com






Marketing ideas for ISPs

2005-09-19 Thread Kim Onnel
Hello,

I would like to collect some ideas from you experienced folks on new
ideas to push for an ISP that wants to add revenues by adding new
service offering or attracting customers with VAS


1) MPLS VPNs: we only provide connectivity, what else could we do, on the top of my head is:
    a) QoS 

2) Internet: we basically provide ADSL for residential and SDSL for corporate
  
3) Security: we offer nothing, just configuring firewalls for customers on their premises
    a) Customers blackhole their traffic
    b) Analyze customers traffic using sinkholes
    c) Managed firewalls/ids
    d) RADIUS based filters(ACL) for dialup/adsl 
    

4) DataCenter: we do normal datacenter, emails, hosting.

    a) Hosting a mirror of freshmeat and sourceforge, tucows, download.com
    b) Netflow analyzers: selling reports to customers or the Arbor Model

The points i have under each are things we don't have, i would like you
to share with me your experiences with services from the above,
feasibility, and if there are supporting documents to be able to
pullout a presentation,

All your private feedback is welcomed.

Thanks
 


Katrina Aid Request

2005-09-19 Thread John Souvestre

Hello.

I don't often post to this list, but some here know me.  They can verify what
I have to tell you.

I'm an ISP in Metairie, Jefferson Parish.  The Co-Lo where my equipment is
located is about 5 miles west of the center of New Orleans.  To be precise, it
is at 106 Metairie Lawn Dr #300, Metairie LA 70001.  It is run by CommTech
ESP.

The ISPs housed there are CommTech (who is also an ISP, commtechesp.com),
Digicomm Systems (webdsi.com), and Southern Star (sstar.com) along with parts
of Bayou Tech (teche.net), Skycom1 (skycom1.com), and TriParish
(triparish.net).

The building and the equipment made it through the storm OK.  Like everyone
else in the area, we lost commercial power during the storm.  We ran on the
generator for 11 days.

Because of the extended run time, some of the ISPs agreed to kick in and help
pay the fuel bill since it was more than the Co-Lo could afford by itself.  It
cost about $2500 per day for those 11 days.

We are all small ISPs, ranging from 1 to 10 employees.  This additional cost,
on top of everything else, is a heavy burden.  If you would like to help us
with this expense, we would certainly appreciate it.

If you are so inclined, you can send mail to CommTech ESP's temporary office
which is set up at Bayou Tech's location.  The address is:

CommTech ESP c/o Bayou Tech
Attn:  Jimmy Roussel
314 Chennault St
Morgan City LA 70380

Thank you.

John

John Souvestre - Southern Star - (504) 888-3348 - www.sstar.com




Re: Belarus ISP contact

2005-09-19 Thread Michael . Dillon

> Excuse the strange post, but I'd like to contact anyone working for a 
> Ukrainian and more importantly Belarussian ISP's, alternatively if 
> you know of someone please email me.

Go to http://www.ripe.net and try a whois search for
either Ukraine or Belarus. This will give you a bunch
of contact points. 

You could also try http://www.google.com.ua/
or http://www.google.by because both offer
the option of only returning sites in Ukraine
or Belarus.

--Michael Dillon



RE: Calling all NANOG'ers - idea for national hardware price quote registry

2005-09-19 Thread Michael . Dillon

> Frankly, I've been rather surprised at the level of the negativity that
> has come across towards this idea in several of the posts and I'm not
> sure why that is.

It is because you are talking about a site which
does not exist.

It is because when people are intrigued by the 
idea and want to know more, there is no website
where they can read further details.

It is because this is complete vaporware from
your imagination.

These things do not play very well on a list where
people are building and operating real networks
and solving real problems.

--Michael Dillon